Reverse DNS verification, step by step
2026-05-14
Forward-confirmed reverse DNS is a two-step handshake. Take the visiting IP and resolve it backward to a hostname; if the claim is honest, the name lands in the operator's domain, like crawl-66-249-66-1.googlebot.com.
The second step is the one people skip: resolve that hostname forward again and confirm it returns the original IP. Anyone who controls the reverse zone for an IP can make its PTR record say anything; only the operator can make the forward lookup agree.
The method's weakness is operational, not cryptographic — it needs DNS lookups at request time, which is too slow for a hot path. That is why modern verification prefers published IP ranges, compiled ahead of time, with rDNS as the fallback for operators who publish nothing.
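The two-step check described above, as an added Python example (not code from the original page). The function names, the injected-resolver design and the sample tables are assumptions made for illustration; the suffix is matched on a label boundary so that a look-alike such as evilgooglebot.com does not pass step one.

```python
import ipaddress
import socket

def reverse_lookup(ip):
    """PTR lookup through the system resolver; hostname or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def forward_lookup(hostname):
    """A/AAAA lookup through the system resolver; set of address strings."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except (OSError, UnicodeError):
        return set()

def in_domain(hostname, suffixes):
    """Match on a label boundary: the name is the suffix or ends in '.' + suffix."""
    name = hostname.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in suffixes)

def verify_fcrdns(ip, suffixes, reverse=reverse_lookup, forward=forward_lookup):
    """True only if PTR(ip) is in an allowed domain AND that name resolves back to ip."""
    addr = ipaddress.ip_address(ip)
    hostname = reverse(ip)                      # step 1: IP -> hostname
    if not hostname or not in_domain(hostname, suffixes):
        return False
    for candidate in forward(hostname):         # step 2: hostname -> IPs
        try:
            if ipaddress.ip_address(candidate) == addr:
                return True
        except ValueError:
            continue                            # skip unparsable resolver output
    return False

# Constructed sample data (documentation ranges, apart from the page's example name).
SAMPLE_PTR = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com",
    "203.0.113.7": "crawl-66-249-66-1.googlebot.com",   # PTR set by someone else
    "198.51.100.9": "evilgooglebot.com",                # look-alike suffix
    "198.51.100.10": "googlebot.com.example.net",       # suffix in the wrong place
}
SAMPLE_A = {
    "crawl-66-249-66-1.googlebot.com": {"66.249.66.1"},
    "evilgooglebot.com": {"198.51.100.9"},
    "googlebot.com.example.net": {"198.51.100.10"},
}
```

Passing `SAMPLE_PTR.get` and a lookup over `SAMPLE_A` as the resolvers exercises every branch offline; with the defaults the function uses the system resolver, so its result is best cached rather than computed on each request.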